In December 2022 we started exploring the 11 recent updates to the certification framework for information management systems, ISO 27001:2022. December's article covered secure coding, monitoring activities and threat intelligence.
This month, the Canberra Cyber Hub sat down with Sasha Hajenko from Blue Phoenix Systems to learn more about the ISO 27001:2022 updates, namely the new guidelines pertaining to ICT readiness for business continuity and physical security monitoring.
ICT readiness for business continuity
Business continuity planning is a key piece of governance for any business. Environmental factors such as floods and fires, utility interruptions, hardware failure, security incidents and various other adverse situations can impact the stability and continued operations of a business and the information systems that underpin these operations.
Planning for these adverse situations ensures that a business is ready to deal with these disruptions when they occur. Without proper planning, attempting to bring systems back online without clear direction and priorities can result in wasted resources, increased costs, and can extend the time it takes to return to normal operations.
The business continuity controls from ISO 27001:2013 were primarily focused on maintaining information security during business continuity incidents.
With the release of ISO 27001:2022, the existing controls were retained, and a new control has been added - ICT readiness for business continuity.
This new control is focused on ensuring the availability of information systems during disruptions so that businesses can respond to and recover from disruption to ICT services regardless of the cause.
Planning for business continuity involves first analysing core business activities through a Business Impact Analysis (BIA) and gathering the information needed to develop recovery strategies for those activities. The BIA is used to predict the consequences of disruptions and to determine Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for business activities and the information systems that support them.
The RTO is the maximum acceptable time from the start of a disruption to the point where normal operations resume, and it drives the order in which business activities are recovered during a continuity event. The RPO is the maximum acceptable age of the files or systems supporting a business activity when they are restored from backup, in other words the point beyond which data loss exceeds what the business can tolerate; it determines how frequently, and by what method, each system must be backed up.
Once the BIA is completed, it is used to develop a plan of continuity actions and capacity requirements to ensure continued operations of business activities during disruptions, and details of response and recovery actions to allow the business to return to normal operations once the continuity event has passed.
Of course, planning is one thing, but if you don’t test your plans and your backups, how do you know they will work when you need them? Regularly evaluating and testing your continuity plans, and verifying that your backups can be restored within the RTO and RPO timeframes, ensures they remain reliable and relevant. This evaluation and testing should also be carried out after any major system change or the implementation of a new system.
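To make that verification step concrete, the following is an added example (not code from the article, the Canberra Cyber Hub or Blue Phoenix Systems). It takes the RTO and RPO a BIA assigned to each system, compares them against two pieces of evidence, the age of the newest successful backup and the elapsed time of the last restore drill, and reports a finding wherever an objective is exceeded or simply never verified. The system names, objectives and timestamps are constructed sample data, and the fixed NOW value is an assumption made so the run is deterministic.

```python
"""Check backup and restore-drill evidence against each system's RTO and RPO.

Added example (not from the Canberra Cyber Hub article). System names, objectives
and timestamps below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed "current time" so the example is deterministic (constructed, not real).
NOW = datetime(2023, 2, 1, 9, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Objectives:
    """Recovery objectives for one business system, as set by the BIA."""
    name: str
    rto: timedelta  # max time from start of disruption until normal operations resume
    rpo: timedelta  # max age of data restored from backup (max tolerable data loss)


@dataclass(frozen=True)
class Evidence:
    """What the backup logs and the last restore drill actually show."""
    last_successful_backup: Optional[datetime]  # None: no successful backup on record
    drill_started: Optional[datetime] = None    # simulated disruption start
    drill_restored: Optional[datetime] = None   # service confirmed back in operation


def rpo_finding(obj: Objectives, ev: Evidence, now: datetime) -> Optional[str]:
    """Return a finding if the newest backup is older than the RPO allows."""
    if ev.last_successful_backup is None:
        return "RPO: no successful backup on record"
    age = now - ev.last_successful_backup
    if age > obj.rpo:
        return f"RPO exceeded: newest backup is {age} old, limit {obj.rpo}"
    return None


def rto_finding(obj: Objectives, ev: Evidence) -> Optional[str]:
    """Return a finding if the restore drill took longer than the RTO, or was never run."""
    if ev.drill_started is None or ev.drill_restored is None:
        return "RTO: no restore drill on record, recovery time unverified"
    elapsed = ev.drill_restored - ev.drill_started
    if elapsed > obj.rto:
        return f"RTO exceeded: drill took {elapsed}, limit {obj.rto}"
    return None


def evaluate(objectives, evidence, now=NOW) -> dict:
    """Map each system name to its list of findings (empty list = meets RTO and RPO).

    A system with no evidence at all is flagged on both objectives rather than
    silently passed, since an untested plan is exactly what the article warns about.
    """
    results = {}
    for obj in objectives:
        ev = evidence.get(obj.name, Evidence(last_successful_backup=None))
        findings = [f for f in (rpo_finding(obj, ev, now), rto_finding(obj, ev)) if f]
        results[obj.name] = findings
    return results


# Constructed sample data: objectives as a BIA might set them, evidence as logs might show.
H = timedelta(hours=1)
OBJECTIVES = [
    Objectives("payroll", rto=4 * H, rpo=24 * H),
    Objectives("crm", rto=8 * H, rpo=1 * H),
    Objectives("intranet", rto=72 * H, rpo=24 * H),
    Objectives("archive", rto=168 * H, rpo=168 * H),
]
EVIDENCE = {
    "payroll": Evidence(NOW - 6 * H, drill_started=NOW - 30 * H, drill_restored=NOW - 27 * H),
    "crm": Evidence(NOW - 3 * H, drill_started=NOW - 50 * H, drill_restored=NOW - 45 * H),
    "intranet": Evidence(NOW - 30 * H, drill_started=NOW - 200 * H, drill_restored=NOW - 120 * H),
    # "archive" deliberately has no evidence: it must be flagged, not passed.
}

if __name__ == "__main__":
    for name, findings in evaluate(OBJECTIVES, EVIDENCE).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name:10s} {status}")
```

In the sample run, payroll meets both objectives, crm fails RPO only (a 3 hour old backup against a 1 hour RPO, which is the hourly-backup case the text describes), intranet fails both, and archive is reported as unverified on both counts. Feeding this kind of check from real backup logs and drill records, and re-running it after major system changes, is one way to turn the "test your plans and your backups" guidance into a repeatable control.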
Investing the time and effort into developing and maintaining your readiness for business continuity ensures you are prepared with strategies that consider options before, during, and after disruption.
Physical security monitoring
One of the new controls introduced to ISO 27001:2022 Annex A is physical security monitoring. Physical security, that of premises, secure areas, server rooms and the like, is an important aspect of information security. You can have the best-of-breed security software, firewalls and more, but if someone can gain access to IT hardware or hard-copy documents, many of these controls are no longer effective.
The addition of physical security monitoring to ISO 27001:2022 requires that organisations not only define security perimeters, control entry to them, and, where appropriate, maintain the security of areas such as offices, rooms and facilities inside those perimeters, but also monitor these perimeters and areas for unauthorised access.
The monitoring of premises can be achieved in many ways, including guards, intruder alarms, video monitoring systems such as closed-circuit television (CCTV), and security management software either managed internally or by a monitoring service provider.
When designing security monitoring for buildings and areas that house critical systems, these areas must be continuously monitored by CCTV, infrared motion detectors and other forms of preventive or detective controls to deter, repel or detect intruders.
When developing monitoring systems, information about the design and configuration must be kept confidential to prevent knowledge of the surveillance and monitoring systems being used to facilitate undetected unauthorised access. Further, once monitoring systems have been implemented, they must be protected from unauthorised access as this may lead to the systems being disabled or otherwise compromised.
When installing any monitoring system, it is important to be aware of local laws and regulations regarding the recording and monitoring of personnel, including data protection and PII protection requirements, and video retention periods.